Yet another 'critical' Firefox flaw

Less than 24 hours before the scheduled release of Firefox 2.0.0.2 as a high-priority browser refresh, a new "critical" vulnerability has been reported by Polish hacker Michal Zalewski.

Zalewski, who appears to be running an unofficial MOFFB (month of Firefox bugs) project, released a demo of a memory corruption issue that crashes the browser and puts users at risk of PC takeover attacks.

"Firefox is susceptible to a pretty nasty, and apparently easily exploitable memory corruption vulnerability. When a location transition occurs and the structure of a document is modified from within onUnload event handler, freed memory structures are left in inconsistent state, possibly leading to a remote compromise," Zalewski warned.

Mozilla's security team is tracking the issue.

Zalewski's ongoing browser research has also uncovered a "quite nasty" flaw in Microsoft's Internet Explorer 7.

He described the IE 7 issue as a "combination-type vulnerability" that allows the attacker to:

a) Trap the visitor in a Matrix-esque tarpit webpage that cannot be left by normal means (this is a known brain-damaged design of onUnload Javascript handlers),

b) Spoof transitions between pages so that the user thinks he actually managed to leave the affected site, and so that the URL bar displays other addresses we didn't actually go to.

"This opens a plethora of spoofing/phishing scenarios," Zalewski warned. A demonstration page is available for testing purposes.

So far this month, Zalewski's demos have included focus bugs, a location.hostname issue (critical), a blank bug, a bookmark issue and today's unload and trap flaws.